Clear as Mud: The New Government Transparency Report

Keeping a promise made by DNI Clapper in August 2013, on Friday the U.S. Government issued its eagerly awaited transparency report for surveillance requests under national security authorities (e.g. FISA, FAA, and the NSL statutes) for the calendar year 2013. While few expected the government’s report to read as clearly as the many provider reports that have been issued over the last year, the government’s unique decisions as to how to count orders and targets makes their report difficult to interpret and even more difficult to compare to previously-issued provider reports.

What is Disclosed

The reports identify the number of requests and number of targets for each of the significant national security legal authorities, including FISA court orders (issued on probable cause); FISA pen register/trap and trace orders (issued by the court on a finding less than probable cause); 702 requests (based on certifications filed with the court but lacking prior review of targets); and national security letters. Of all the statistics, perhaps the most interesting is the government’s choice to characterize 702 activity as occurring under a single order; rather than focusing on certifications or directives (the number of which is apparently still classified). As a result, that single order has an “estimated number of targets affected” of over 89,000 (more on targets affected below).

With regard to business records requests, the government had a difficult chore in deciding how to characterize business record requests for individual targets versus bulk collection. The DNI’s solution was to submit the number of “applications” for business record orders made to the FISA court (178). In terms of correlating this to “targets” or accounts, the government dodged the issue by disclosing the number of individuals who were subject to requests for business records that pertained to specific accounts. Then for bulk surveillance, rather than disclosing the number of individuals affected by these orders (presumably millions), the government chose to disclose the number of selectors (or terms) queried for non-U.S. targets and the number of U.S. persons whose records were returned as a result of the queries.

For National Security Letters (NSLs), the report then takes a different approach to reporting. First, it reports on the number of NSLs issued (19,212). Then, it reports on the number of “requests” contained within those 19,212 NSLs. In this case “requests” refers to the number of identifiers (whether names, emails, phone numbers, etc.) included in the total number of NSLs.

What is Different From Provider Reports

While there are differences among provider transparency reports, most seek to disclose, to the extent they are legally able, the number of each type of legal requests they receive and the number of users impacted by such requests. By detailing the legal authorities used, the public can see which types of legal authorities the government uses most frequently and by inference understand the nature of the data that is provided as a result. For example, when a provider discloses whether a single request is a search warrant or a real-time intercept, it becomes easier to identify what type of information is being disclosed in response. The DNI Transparency Report obscures this kind of analysis through a confusing mix of terminology, broad categories, and ever changing disclosure methodologies. Most of the confusion generated by the report is based on how the government has chosen to identify the people/users who are affected in some way by the surveillance requests.

“Targets” is used by the government to indicate their estimate of the number of actual people who were subject to surveillance requests, even if they were using multiple accounts. Many providers would not be able to track this information because they lack sufficient personal information on their users and thus can only go by the number of user identifiers (e.g. emails, phone numbers, etc. depending on how they identify their users) included with each order because they have no way to know who is operating the account. Given the choice to use “targets,” the government has chosen what is likely the lowest number possible (since one target might be subject to multiple orders to multiple providers) and at the same time prevented the comparison of account identifiers disclosed by providers against the government’s numbers.

The government lumps together all FISA court orders with a probable cause standard — leaving it impossible to distinguish between searches for stored data and real-time surveillance in terms of how frequently they resort to these tools. In the criminal context, providers have been far more detailed in the manner in which they report. The government also lumped together all types of business record requests – whether for bulk collection and or targeted collection and also described the entire 702 process as based on a single order.

The methodology changes for each category of record. Depending on the legal authority at issue, the report covers “orders,” “applications,” NSLs issued, and then to measure the impact on individuals, they vary between “targets,” “individuals,” “selectors,” and “requests.” The lack of a common methodology for reporting and more consistent terminology, makes the report difficult to interpret and perhaps obscures in many cases the real impact of the surveillance that was conducted pursuant to the legal authorities at issue.

Finally, on pen registers and trap and trace orders, the report identifies the number of people targeted by the pen register, which is presumably the account for which the order is set. However, many pen registers/trap orders require the provider to also provide subscriber information for all their customers who were called by the target during the period in question. These people are also “affected” by the order, although they are not captured by the report in any way.

As an inaugural effort, the report importantly follows through on a promise made towards transparency, but reflects the highly cautious nature of the government in openly discussing activities that they would likely prefer to keep secret. This report will leave many scratching their heads to unravel its “secrets” for weeks to come.

Feature photo by Opensourceway from Flickr
Side photo by Fay Ratta from Flickr

About The Author

Marc is the founder and managing member of ZwillGen PLLC and has been regularly providing advice and counsel on issues related to the increasingly complex laws governing Internet practices, including issues related to Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, privacy, CAN-SPAM, FISA, spyware, adware, Internet gambling and adult-oriented content. He also helps Internet Service Providers and other clients comply with their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.